One possibility is that half-life servers are inherently directory services.
The list of connected players could be used to encode directory data for
the worm to attack.
Owen
--On Friday, August 22, 2003 8:50 PM -0400 Matt Martini
[EMAIL PROTECTED] wrote:
I've scanned my Netflow logs for
: Saturday, August 23, 2003 1:05 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???
On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote:
They were trying to hit servers in multiple subnets, all on ports
270XX.
I'm not sure on this. Lots of gaming servers use the 270XX UDP
[EMAIL PROTECTED]; North American Network Operators Group
[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 1:22 PM
Subject: Re: W32/Sobig-F - Halflife correlation ???
Hi
Just a quick look at my syslog file, where MOO is the name of my ACL.
fgrep MOO /var/log/cisco/router.log | grep
Message -
From: Robert Blayzor [EMAIL PROTECTED]
To: Matthew E. Martini [EMAIL PROTECTED]; North American Network
Operators Group [EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 3:05 AM
Subject: Re: W32/Sobig-F - Halflife correlation ???
On 8/22/03 8:50 PM, Matt Martini [EMAIL PROTECTED
On 8/23/03 7:17 AM, Darren Smith [EMAIL PROTECTED] wrote:
They were trying to hit servers in multiple subnets, all on ports 270XX.
I'm not sure on this. Lots of gaming servers use the 270XX UDP range.
Quake3, HL, etc.
It may be possible it's just probing for other HL servers running on
On 8/22/03 8:50 PM, Matt Martini [EMAIL PROTECTED] wrote:
I've scanned my Netflow logs for activity associated with the 20
machines that SoBig was targeting and I found some very curious
activity.
If what you claim is correct, this could be very bad. The virus is already
there on many
-Original Message-
From: Matt Martini
Sent: Friday, 22 August, 2003 20:51
To: North American Network Operators Group
Subject: W32/Sobig-F - Halflife correlation ???
Are there any halflife vulnerabilities that the virus writers
are using?
There are many hl vulnerabilities,